Policy Condition for federated users

1

Hi all, I'm trying to understand how to write a resource policy where I want to DENY every user identity access unless that user identity has a permission set attached to it. So far I've got this, but I am certain I've got the thinking wrong, because if I run it then ${AWS:UserId} will be replaced by the identity of the account that is deploying the resource.

In an SSO setup, I've created a few groups with users in those groups. The groups have permissions attached to them. I want the users belonging to a specific group to have the correct permissions when they log in using SSO and assume a role. Users from other groups should get a DENY.

Open to suggestions and help. Thanks in advance.

    "Condition": {
        "ArnNotEquals": {
            "aws:Principal": "arn:aws:sts::${AWS::AccountId}:federated-user/${AWS:UserId}"
        }
    }
1 Answer
0

Hi,

I understand that you want to write a resource policy to give least privilege policy to federated users.

Creating IAM policies that grant least privilege is one of the best security practices [1]; to create an IAM role, refer to [2]. You can view the condition operators for Amazon Resource Names (ARNs) in the attached document [3]. The condition operator that you can use in a policy depends on the condition key you choose.

Please see the attached document [4] for reference identifiers.

I hope this helps.

Resources:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html

[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html

answered 2 years ago
  • Thanks @Asisipho, I guess the problem here is that the policy will end up looking like this. With 50-odd users to add to the condition, it will make for a tedious exercise.

    "Condition": {
        "ArnNotEquals": {
            "aws:Principal": [
                "arn:aws:sts::123456789012:federated-user/JohnDoe",
                "arn:aws:sts::123456789012:federated-user/Paulo",
                "arn:aws:sts::123456789012:federated-user/JaneDoe",
                "arn:aws:sts::123456789012:federated-user/User..n"
            ]
        }
    }

    Is there any other/better way to address the OP's question? I am also looking for something similar.
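The approach the comment above asks about, as an added example that is not code from this thread: instead of enumerating a federated-user ARN per person (that ARN form comes from sts:GetFederationToken, not from IAM Identity Center), key the Deny on aws:PrincipalArn with an ArnNotLike pattern for the role that Identity Center provisions for the permission set, so one pattern covers the whole group. The account id, the "DataTeam" permission set and the AdminDeployRole break-glass role are assumed placeholders, and the matcher is a simplified stand-in for the IAM policy engine.

```python
import fnmatch

# Added example, not code from the re:Post thread. The account id, the "DataTeam"
# permission-set name and the role names below are constructed placeholders.
ACCOUNT = "123456789012"

# Deny every caller except roles that IAM Identity Center provisioned for the
# DataTeam permission set, plus one admin/deploy role kept as a break-glass
# exception so the deploying identity does not lock itself out. One pattern
# covers every user in the group: aws:PrincipalArn carries the role ARN, not
# the per-session assumed-role ARN.
DENY_UNLESS_PERMISSION_SET = {
    "Effect": "Deny",
    "Principal": "*",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "ArnNotLike": {
            "aws:PrincipalArn": [
                # the '*' before AWSReservedSSO_ absorbs the optional region path segment
                f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_DataTeam_*",
                f"arn:aws:iam::{ACCOUNT}:role/AdminDeployRole",
            ]
        }
    },
}

def arn_like(pattern: str, arn: str) -> bool:
    """Approximate AWS ArnLike: '*' and '?' wildcards, case-sensitive match."""
    return fnmatch.fnmatchcase(arn, pattern)

def is_denied(statement: dict, principal_arn: str) -> bool:
    """True when the Deny applies: with a list of values, ArnNotLike is true
    only if the principal ARN matches none of the patterns."""
    patterns = statement["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
    return not any(arn_like(p, principal_arn) for p in patterns)

# Constructed sample callers: Identity Center roles for two permission sets,
# a plain IAM user, and the break-glass role.
SSO_PATH = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/eu-west-1/"
SAMPLE_PRINCIPALS = {
    "sso_datateam": SSO_PATH + "AWSReservedSSO_DataTeam_0123456789abcdef",
    "sso_finance": SSO_PATH + "AWSReservedSSO_Finance_fedcba9876543210",
    "iam_user": f"arn:aws:iam::{ACCOUNT}:user/JohnDoe",
    "admin": f"arn:aws:iam::{ACCOUNT}:role/AdminDeployRole",
}

def evaluate_samples() -> dict:
    """Map each sample caller to True if the Deny statement applies to it."""
    return {n: is_denied(DENY_UNLESS_PERMISSION_SET, a) for n, a in SAMPLE_PRINCIPALS.items()}
```

Calling evaluate_samples() returns {'sso_datateam': False, 'sso_finance': True, 'iam_user': True, 'admin': False}; only the DataTeam permission-set role and the break-glass role get past the Deny.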
